7/31/2019 05 M3 Firewall Technology
Module 3
Firewall Technologies

Objectives
After completing this module, you will be able to:
- Define the term firewall, list the main types of firewalls, explain how each firewall technology fits in the OSI model, and describe how firewalls are used to protect a computer network.
- Explain how packet-filter gateway technology works and list the advantages and disadvantages of packet-filter technology.
- Explain how firewall servers are used to protect a network, describe where firewall servers are typically placed in the network infrastructure, and describe the typical firewall server configurations.
- Explain how application-level firewalls work.
- Explain how stateful-inspection firewalls work.
- Explain how circuit-level firewalls work.
- List the criteria you should use when evaluating a firewall product.
- List the general steps you would use to deploy a firewall.
Rev. 0.11 3 1
Compaq Security Solutions
Overview of Firewall Technologies
[Figure: a firewall placed between the internal (trusted) network and the external network, the Internet]
Firewalls are barriers created between trusted private networks and untrusted networks such as the Internet. Firewalls are used to:
- Examine all inbound and outbound traffic, allowing only authorized traffic to pass.
- Protect internal networks from external networks.
- Form a security barrier between parts of an organization.
The major objective of a firewall is to protect one network from another.
Firewalls are an important part of network security. Without a firewall, the possibility of security breaches from external and internal sources is greatly increased. To protect your network from attacks, installing and maintaining a firewall is an important part of network operations.
The term firewall has many uses and is therefore often confusing. Firewall can mean a specific hardware component, such as a firewall server, a packet-filtering router, or a security software package. Alternatively, it can refer to the complete collection of components which are used to form a barrier between a trusted and an untrusted network, which is how this term is used in this course. Individual components are referred to in specific terms, such as firewall server, packet-filtering router, and firewall software.
What Is a Firewall?
In the simplest terms, a firewall is a set of components placed between two networks that have the following characteristics:
- All traffic from inside to outside, and outside to inside, must pass through the firewall.
- Only authorized traffic, as defined by the security policy, will be allowed to pass through the firewall.
- The firewall itself must be immune from penetration.
The objective of a firewall is to protect an internal (trusted) network from an external (untrusted) network. An untrusted network is one from which unwanted network intrusions can originate. The goal of your firewall should be to prevent unauthorized access to sensitive data, while allowing legitimate users to have unencumbered access to network resources.
Firewalls track and control data, deciding whether to pass, drop, reject, encrypt, or log the data. Firewalls ensure that data meets the rules of an enterprise's network security policy.
Important: A firewall cannot protect the network against malicious authorized users. Research indicates that most network attacks occur from within an organization. A firewall cannot protect connections that do not pass through the firewall.
The firewall is the main tool for implementing an organization's network security policy. In addition to a solid firewall strategy, a network will likely need solid authentication and privacy-enhancement techniques, such as encryption, to implement the other aspects of the network security policy.
Firewalls and the OSI Model
[Figure: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical); application firewalls operate at the application layer, circuit-level gateways at the session layer, and packet-filter firewalls at the network layer]
The OSI model provides a detailed standard for describing a network. It is useful for describing how protocol suites, such as TCP/IP, handle network communications. The OSI model is used in this course to describe the features and functions of different types of security products.
Firewall vendors differentiate themselves through the implementation of their firewall products. The differentiation lies in the layer of the OSI model at which the firewall operates, and therefore where the packets are examined.
Firewall Components
A single firewall system has several components:
- Software: Two types of software are at the core of a firewall system. Application-level software controls network traffic at the application level, tracking entire transactions related to mail, web, or file transfer services. Packet-filtering systems operate at the network level and examine each individual packet of data as it comes through the network, without regard to whether the packet is part of an approved application.
- Operating system: Many firewalls run on standard but hardened operating systems, including Microsoft Windows NT and UNIX. Some run on modified versions or completely proprietary operating systems.
- Computer hardware: Some firewall hardware is proprietary, but most uses standard hardware.
- Network interfaces: Most firewalls are multi-homed, using separate network interface cards to create a physical separation between networks.
Types of Firewalls
Firewalls can be categorized into the following types:
- Packet-filter gateways
- Application-level firewalls
- Stateful-inspection firewalls
- Circuit-level gateways
Packet-Filter Gateways
[Figure: a packet-filtering gateway/router between the internal network and the external network, the Internet]
A packet-filter gateway can play an important role in implementing an enterprise security policy by providing a first line of defense against unwanted intrusion. By monitoring each packet destined for the internal network, the gateway can filter out potentially dangerous packets.
Also known as a screening router or packet-filter router, a packet-filter gateway is a router that selectively blocks and passes packets when routing them from one network to another. It distinguishes packets based on predefined parameters, such as the origination address or the port.
Packet-filter gateways can provide an inexpensive and useful level of gateway security. Typically, the filtering abilities come with the router software. Because you will likely need a router to connect to the Internet, there is no extra charge for this capability.
Packet-filtering technology is usually implemented through a router that has packet-filtering capabilities. (Most routers have packet-filtering technology.) As shown in the preceding graphic, a packet-filtering gateway is placed between an internal network and an external network such as the Internet.
How Packet-Filtering Technology Works
[Figure: a packet-filtering router between a server and a workstation; the two end systems run full seven-layer stacks, while the router examines traffic at the network, data link, and physical layers only]
Packet filters work by distinguishing packets based on IP addresses or specific bit patterns, and most come with router software. They reside at the network level of the OSI model.
Packets are scanned and decisions about whether the packet should be allowed to pass are based on the fields within the packet. The scanned fields include the source IP address, destination IP address, TCP/UDP source port, and TCP/UDP destination port.
Packet filters enforce their rules in an order-based manner. Packets are passed or dropped based on their source or destination addresses or ports. In general, decisions are based only on the content of the individual packet. Depending on the type of router, filtering might be done at input time, at output time, or both.
The network administrator makes an "allow" list of acceptable machines and services and a "deny" list of unacceptable machines and services. It is easy to permit or deny access at the host or network level with a packet filter. For example, you can permit any IP access between hosts A and B, or deny any access to B from any machine except A.
Most packet filter devices operate in the following manner:
1. Packet filter rules are created for the device by the administrator. The rules are stored in a specific order.
2. When a port receives a packet, the packet header is parsed. Most packet filter devices only examine the fields in the IP, TCP, or UDP headers. Some devices also filter on ICMP and on routing protocols such as RIP.
3. The rules are applied to the packet in the order specified by the administrator. The first rule that matches decides the outcome; later rules are not consulted.
4. If a rule blocks the transmission or reception of a packet, the packet is rejected.
5. If a rule allows the transmission or reception of a packet, the packet is allowed to pass.
6. If a packet does not satisfy any rule, it is blocked. (This rule follows the philosophy "that which is not expressly permitted is denied.")
Advantages and Disadvantages
The advantages of packet filtering include:
- Cost: In most cases the technology is included with the router.
- Ease of implementation: It is transparent to applications. No changes are required to client and host applications because it operates at the IP and TCP layers of the OSI model.
- Performance: It provides relatively fast throughput.
The disadvantages of packet filtering include:
- Limited security: It does not screen above the network- and transport-layer headers. Packet filters are incapable of providing communication-derived or application-derived state information. They cannot recognize the context of a given communication, which makes them more likely to allow unauthorized access to a network.
- Administration: It is difficult to configure, monitor, and manage. Without an in-depth knowledge of TCP and UDP port utilization, it is difficult to control access to individual services.
- Auditing: Logging and alerting mechanisms are minimal or absent.
- Vulnerability: Packet-filtering systems are subject to IP spoofing attacks. They are unable to protect against application-level attacks and can be susceptible to sophisticated IP fragmentation and IP source routing attacks.
- Flexibility: Packet-filtering technology does not handle services well that involve dynamically assigned port numbers, such as FTP data connections.
- Performance: As the number of rules on a packet-filter router increases, performance degrades.
- Order-dependent rules: Rules written for packet-filtering systems are highly order-dependent. If the rules are ordered incorrectly, unwanted connections might be allowed. Therefore, packet-filtering systems are subject to misconfiguration, and the likelihood of misconfiguration increases as rules are added.
- Exposure: Packet-filtering systems do not automatically hide network and system addresses from public view.
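The following Python program is an added example, not code from the module or from any router vendor. It implements the six steps described above as a first-match filter with an implicit deny, and then demonstrates two of the disadvantages just listed: a stateless filter has to trust the TCP ACK flag to recognize reply traffic, and a broad allow rule placed before a specific deny rule shadows it. The addresses, interfaces, port numbers, and policy are constructed for the example; the policy follows the access rules given under Firewall Deployment Procedures at the end of this module (web out, mail both ways, FTP out, deny everything else).

```python
"""First-match packet filter with default deny (added example, not from the module).

Addresses, interfaces, ports and the policy are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/24"      # assumed internal network
MAIL_SERVER = "10.0.0.25/32"  # assumed internal mail relay
PARTNER = "203.0.113.0/24"    # assumed partner network on the Internet side


@dataclass(frozen=True)
class Packet:
    iface: str         # interface the packet arrived on: "ext" (Internet) or "int"
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False  # TCP ACK flag; a stateless filter uses it to guess "reply traffic"


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None   # None = any interface
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None    # None = do not care about the ACK flag

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or self.iface == p.iface)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.sport is None or self.sport == p.sport)
            and (self.dport is None or self.dport == p.dport)
            and (self.ack is None or self.ack == p.ack)
        )


def decide(rules, p):
    """Steps 1-6: apply rules in order, first match wins, no match means deny."""
    for index, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, index
    return "deny", None


POLICY = [
    # Anti-spoofing: a packet arriving from the Internet must not claim an internal source.
    Rule("deny", iface="ext", src=INTERNAL),
    # HTTP: inside users out, and only ACK-flagged "replies" from port 80 back in.
    Rule("allow", iface="int", src=INTERNAL, proto="tcp", dport=80),
    Rule("allow", iface="ext", dst=INTERNAL, proto="tcp", sport=80, ack=True),
    # SMTP in both directions; inbound only to the mail relay.
    Rule("allow", iface="ext", dst=MAIL_SERVER, proto="tcp", dport=25),
    Rule("allow", iface="int", src=MAIL_SERVER, proto="tcp", sport=25, ack=True),
    Rule("allow", iface="int", src=INTERNAL, proto="tcp", dport=25),
    Rule("allow", iface="ext", dst=INTERNAL, proto="tcp", sport=25, ack=True),
    # FTP control channel out. FTP's separate data connections are the "random port"
    # case a packet filter handles badly, so no data-channel rule is attempted here.
    Rule("allow", iface="int", src=INTERNAL, proto="tcp", dport=21),
    Rule("allow", iface="ext", dst=INTERNAL, proto="tcp", sport=21, ack=True),
    # Everything else falls through to the implicit deny in decide().
]


def demo():
    """Return the decision for several constructed packets."""
    packets = {
        "web_out":    Packet("int", "10.0.0.7", "198.51.100.10", "tcp", 40000, 80),
        "web_reply":  Packet("ext", "198.51.100.10", "10.0.0.7", "tcp", 80, 40000, ack=True),
        "spoofed":    Packet("ext", "10.0.0.7", "10.0.0.25", "tcp", 40000, 25),
        "telnet_in":  Packet("ext", "198.51.100.10", "10.0.0.7", "tcp", 40001, 23),
        # Weakness: no connection exists, but ACK plus source port 80 satisfies the reply rule.
        "fake_reply": Packet("ext", "198.51.100.10", "10.0.0.7", "tcp", 80, 40001, ack=True),
    }
    return {name: decide(POLICY, p)[0] for name, p in packets.items()}


def order_demo():
    """Same two rules in two orders: the broad allow shadows the specific deny."""
    block_telnet = Rule("deny", proto="tcp", dst=INTERNAL, dport=23)
    allow_partner = Rule("allow", iface="ext", src=PARTNER, dst=INTERNAL, proto="tcp")
    telnet = Packet("ext", "203.0.113.9", "10.0.0.5", "tcp", 40002, 23)
    intended, misordered = [block_telnet, allow_partner], [allow_partner, block_telnet]
    return decide(intended, telnet)[0], decide(misordered, telnet)[0]


if __name__ == "__main__":
    print(demo())        # web_out, web_reply and fake_reply allowed; spoofed and telnet_in denied
    print(order_demo())  # ('deny', 'allow')
```

The "fake_reply" result is the point of the Limited Security item above: without connection state, nothing in the packet tells the filter that no internal host ever opened a connection to port 80 of that source.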
Packet Filtering Summary
In summary, packet-filter gateways are often used as the first line of defense against an untrusted network. Packet filtering provides an efficient way to control network traffic.
However, packet-filtering technologies do not address many security requirements because they have incomplete information to work with. Only network- and transport-layer information, such as IP addresses, port numbers, and TCP flags, is available for filtering decisions.
Most security policies require a finer degree of control than that allowed by packet-filter gateways. In most cases, the security policy will require the ability to define access to specific services for hosts that are otherwise untrusted. For example, you might want to allow any host to connect to machine A, but only to send or receive mail. Other services might not be permitted. Although packet filtering will allow some control at this level, it is a risky and error-prone process. To do it correctly, you must have intimate knowledge of TCP and UDP port utilization on various operating systems.
Packet-filtering devices such as screening routers are often augmented by other devices, such as firewall applications running on dedicated firewall servers.
Application-Level Firewalls
[Figure: an application-level firewall between a server and a workstation; all three systems run full seven-layer stacks, and the firewall hosts HTTP, Telnet, and FTP proxies at the application layer]
Application-level gateways (firewalls) are programmed to recognize network traffic at the user application level of the OSI model. They can therefore provide access controls at a user level and at an application-protocol level.
Application-level firewalls improve on security by examining all application layers, bringing context information into the decision process. Technically, this is accomplished by breaking the traditional client/server model, because each client/server connection requires two connections:
- One from the client to the firewall
- One from the firewall to the server
This process is known as proxying a connection.
An application-level firewall provides a set of application-specific security proxies that evaluate all attempts to pass data into and out of the protected network. A proxy is a unique application that forwards and filters connections for services such as TELNET, FTP, and HTTP. The host computer running the proxy service or services is known as an application gateway.
This type of firewall allows for the evaluation of each connection rather than each packet. Packets are only allowed to pass for an existing proxy with an established and authorized network connection. This also prevents other untrusted services from being implemented without the firewall administrator's knowledge.
Protocols can also be filtered. For example, the FTP proxy might allow FTP GET (the RETR command) but deny the use of FTP PUT (the STOR command). Application-level gateways also include information hiding (or address translation), authentication, and logging.
Although application-layer firewalls are more secure than packet-filter routers, they tend to perform slower than their counterparts working at other OSI levels.
For each application that is relayed, application-level gateways use special-purpose code. Because of this special-purpose code, application-level firewalls provide a high level of security. For each new type of application added to the network that requires protection, new special-purpose code must be written. Therefore, most application-level gateways provide a limited subset of basic applications and services.
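To make the two-connection model concrete, here is an added Python example (not code from the module or from any product) of an application-level proxy for the FTP control channel: the client connects to the proxy, the proxy opens a second connection to the server, and each command is relayed or refused according to a per-verb policy, so a denied STOR or DELE never reaches the server and is logged at the proxy. The stub server, the loopback addresses, and the allowed-verb list are constructed for the demonstration; RETR and STOR are the FTP protocol verbs behind a client's get and put commands.

```python
"""Application-level proxy for the FTP control channel (added example, not from the module).

Two TCP connections per session: client -> proxy and proxy -> server. The stub
server, addresses and the policy are constructed for this demonstration.
"""
import socket
import threading

socket.setdefaulttimeout(5)   # never hang the demo on a lost peer

ALLOWED_VERBS = {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "RETR", "QUIT"}  # no STOR, no DELE
DENIED_REPLY = b"550 Command rejected by firewall policy\r\n"


def policy_allows(line: bytes) -> bool:
    """Decide per FTP command verb; anything not explicitly listed is denied."""
    verb = line.split(b" ", 1)[0].strip().upper()
    return verb.decode("ascii", "replace") in ALLOWED_VERBS


def read_line(sock) -> bytes:
    """Read one CRLF-terminated line (empty bytes on EOF)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def listener():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))   # loopback, kernel-chosen port
    s.listen(1)
    return s


def stub_ftp_server(lsock, received):
    """Stand-in for the real server: acknowledges whatever reaches it."""
    conn, _ = lsock.accept()
    with conn:
        conn.sendall(b"220 stub ready\r\n")
        while (line := read_line(conn)):
            received.append(line.strip())
            conn.sendall(b"200 " + line.strip() + b" accepted\r\n")
            if line.strip().upper() == b"QUIT":
                break


def proxy(lsock, server_addr, log):
    """Accept the client (connection 1), open the server (connection 2), relay by policy."""
    client, _ = lsock.accept()
    with client, socket.create_connection(server_addr) as upstream:
        client.sendall(read_line(upstream))            # pass the server banner through
        while (line := read_line(client)):
            if policy_allows(line):
                upstream.sendall(line)
                reply = read_line(upstream)
                log.append(("relayed", line.strip()))
            else:
                reply = DENIED_REPLY                   # answered here; the server never sees it
                log.append(("denied", line.strip()))
            client.sendall(reply)
            if line.strip().upper() == b"QUIT":
                break


def run_demo():
    """Drive a constructed session through the proxy; return what each side saw."""
    server_sock, proxy_sock = listener(), listener()
    server_seen, proxy_log, replies = [], [], []
    threads = [
        threading.Thread(target=stub_ftp_server, args=(server_sock, server_seen), daemon=True),
        threading.Thread(target=proxy, args=(proxy_sock, server_sock.getsockname(), proxy_log), daemon=True),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(proxy_sock.getsockname()) as c:
        replies.append(read_line(c).strip())           # banner relayed by the proxy
        for cmd in (b"USER anonymous", b"RETR report.txt", b"STOR backdoor.exe",
                    b"DELE report.txt", b"QUIT"):
            c.sendall(cmd + b"\r\n")
            replies.append(read_line(c).strip())
    for t in threads:
        t.join(timeout=5)
    server_sock.close()
    proxy_sock.close()
    return {"client_replies": replies, "server_received": server_seen, "proxy_log": proxy_log}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note what the server's transcript shows: it received USER, RETR, and QUIT only. The proxy is the endpoint of the client's connection and the originator of the server's, so the client never has an IP path to the server at all, which is the property the dual-homed host configuration later in this module relies on.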
Advantages and Disadvantages
The main advantages of application-layer firewalls include:
- No worry about interactions between different sets of filter rules
- The ability to log and control all incoming and outgoing traffic
- Good security
- Full application-layer awareness
Disadvantages include:
- Each service requires its own application-layer gateway. A specialized user program or variant user interface is required for most services provided.
- The implementation at the application layer might be detrimental to performance.
- Proxies cannot provide for UDP, RPC, and other services from common protocol families.
- Most proxies are not transparent.
- The firewall is vulnerable to operating system and application-level bugs.
- Information contained in lower layers of the OSI model is overlooked.
Email is often passed through an application-level gateway, regardless of the technologies used to implement the rest of the overall firewall structure.
Application gateways are often used in conjunction with other gateway designs, packet filters, and circuit-level relays.
Application-Level Firewalls Compared to Packet Filters
[Figure: with a packet filter, packets from inside the network are passed outside unchanged, which makes a packet filter susceptible to spoofing; with an application-level firewall, packets passed through the firewall are rewritten with the firewall's IP address, so all internal IP addresses are completely hidden]
The following table provides a comparison of packet filter and application-level technologies.

Packet filter                                          | Application-level firewall
-------------------------------------------------------|---------------------------------------------------------------------
All packets compared to a list of rules                | All network traffic forced to the application level for authorization
Unmatched packets handled by the device default        | No traffic allowed through unless explicitly allowed
(on many routers, allowed unless explicitly denied)    |
No authentication of users                             | User and service authentication (ability to examine data and state)
Minimal logging                                        | Extensive logging
Stateful-Inspection Firewalls
[Figure: the OSI model with stateful-inspection firewalls shown spanning all seven layers]
Stateful-inspection firewalls analyze all protocol layers and compare the current session to previous sessions to detect suspicious activity.
The inspection engine of a stateful-inspection firewall sits at the lowest software level of the protocol stack, between the data link and network layers, so all packets are intercepted and analyzed before they reach the operating system's IP stack. Stateful-inspection firewalls do not depend on predefined application-specific code (proxies), but instead use rules defined by the administrator.
State information, derived from past communications and other applications, is a key factor in making the control decision for new communication attempts.
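As an added example (not code from the module or from any vendor's product), the following Python class keeps the connection table that separates stateful inspection from packet filtering: an inbound packet is accepted only if it belongs to a connection that an internal host was seen opening, and each table entry follows the TCP handshake and teardown, so an ACK-flagged packet from source port 80 with no entry behind it is refused. The network, ports, and timeout values are assumptions made for the example.

```python
"""Stateful inspection of TCP with a connection table (added example, not from the module).

The trusted network, the ports and the timeouts are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")   # assumed trusted network
TIMEOUTS = {"SYN_SENT": 60, "SYN_RECEIVED": 60, "ESTABLISHED": 3600, "CLOSING": 60}  # seconds, assumed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFirewall:
    """Policy: internal hosts may open TCP connections to the listed ports;
    nothing else passes unless it belongs to a connection already in the table."""

    def __init__(self, allowed_dports=(80, 443)):
        self.allowed_dports = set(allowed_dports)
        self.table = {}   # (client, cport, server, sport) -> [state, last_seen]

    def _lookup(self, p):
        """Find the table entry for this packet and which side sent it."""
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.table:
            return forward, "client"
        if reverse in self.table:
            return reverse, "server"
        return None, None

    def expire(self, now):
        """Drop entries that have been idle longer than their state's timeout."""
        for key, (state, last_seen) in list(self.table.items()):
            if now - last_seen > TIMEOUTS[state]:
                del self.table[key]

    def decide(self, p, now):
        self.expire(now)
        key, role = self._lookup(p)
        if key is None:
            # Unknown connection: only a fresh SYN from inside to an allowed port may start one.
            # An ACK-flagged packet from source port 80 without an entry is denied here, where a
            # stateless filter keyed on the ACK flag would have let it in.
            if p.syn and not p.ack and ip_address(p.src) in INTERNAL and p.dport in self.allowed_dports:
                self.table[(p.src, p.sport, p.dst, p.dport)] = ["SYN_SENT", now]
                return "allow"
            return "deny"
        state = self.table[key][0]
        if p.rst:                           # reset ends the connection from either side
            del self.table[key]
            return "allow"
        if state == "SYN_SENT":             # expect the server's SYN-ACK
            ok, new_state = role == "server" and p.syn and p.ack, "SYN_RECEIVED"
        elif state == "SYN_RECEIVED":       # expect the client's ACK (or a SYN-ACK retransmit)
            if role == "client" and p.ack and not p.syn:
                ok, new_state = True, "ESTABLISHED"
            else:
                ok, new_state = role == "server" and p.syn and p.ack, state
        elif state == "ESTABLISHED":        # data flows; a FIN starts the teardown
            ok, new_state = True, "CLOSING" if p.fin else state
        else:                               # CLOSING: let the remaining FIN/ACK exchange through
            ok, new_state = True, state
        if not ok:
            return "deny"                   # out-of-sequence for this connection's state
        self.table[key] = [new_state, now]
        return "allow"


def demo():
    """Constructed trace: one legitimate web connection plus packets a packet filter
    might accept but the connection table refuses. Third field is the clock in seconds."""
    fw = StatefulFirewall()
    client, server = "10.0.0.7", "198.51.100.10"
    trace = [
        ("syn_out",    Packet(client, server, 40000, 80, syn=True), 0),
        ("synack_in",  Packet(server, client, 80, 40000, syn=True, ack=True), 1),
        ("ack_out",    Packet(client, server, 40000, 80, ack=True), 2),
        ("data_in",    Packet(server, client, 80, 40000, ack=True), 3),
        ("fake_reply", Packet(server, client, 80, 40001, ack=True), 4),        # no such connection
        ("syn_in",     Packet(server, client, 40002, 80, syn=True), 5),        # outside opening inward
        ("fin_in",     Packet(server, client, 80, 40000, fin=True, ack=True), 6),
        ("late_data",  Packet(server, client, 80, 40000, ack=True), 6 + 120),  # after the CLOSING timeout
    ]
    return {name: fw.decide(p, t) for name, p, t in trace}


if __name__ == "__main__":
    print(demo())
```

The table is also where the performance cost in the next section comes from: every packet is looked up against the open connections, and the expiry sweep has to run often enough that idle entries do not accumulate.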
Advantages and Disadvantages
The advantages of stateful-inspection technology include:
- Good security
- Full application-layer awareness
- High performance
- Scalability
- Extensibility
- Transparency
The disadvantages of stateful-inspection technology include:
- IP-level controls do not offer protection against application-level attacks.
- Evaluation and logging of each packet against a list of open connections can be CPU-intensive and can result in degradation of network traffic through the firewall.
- Rules are highly order-dependent and can be difficult to configure.
Circuit-Level Firewalls
A circuit-level gateway (also known as a circuit-level proxy) relays TCP connections. It operates at the session level only. Incoming traffic connects to a TCP port on the gateway, and the gateway then relays the connection to its destination.
After a session has been established, the firewall might allow any type of traffic to pass through. No extra processing or filtering of the protocol occurs. The relay services do not examine the bytes that flow through them.
Secure circuit-level gateways include controls such as time limits on the connection, a list of users allowed to access the port, and user authentication.
Some circuit-level gateways distinguish what packets to pass by checking them against a memory-resident database to verify their validity. They might also provide protection for some common types of attacks, such as DNS and FTP attacks and IP address spoofing. Some circuit-level gateways can also perform network address translation.
Because circuit-level gateways operate at the session level, they can allow any kind of traffic once a session has been established. This is the main disadvantage of circuit-level gateways.
Introduction to Firewall Servers
[Figure: a firewall server between the internal network and the external network, the Internet]
Firewall servers are widely used to give users access to the Internet in a secure fashion, as well as to separate a company's public web server from its internal network.
Firewall servers are also used to keep internal network segments more secure. A firewall server lets authorized communication travel freely between internal and external networks.
A firewall server controls all traffic traveling between two networks and examines content as it comes through. Content is examined based on rules that specify the actions for the firewall to take on every packet it receives.
Firewall Server Placement
[Figure: three firewall servers, in front of the production network (production server IP 122.201.55.5, management console IP 122.201.55.12), the staging network (staging server IP 11.11.11.5, management console IP 11.11.11.12), and the intranet (departmental web server IP 10.10.10.5, content creation client IP 10.10.10.10, management console IP 10.10.10.12), all reached from the Internet through a router with IP 130.210.30.1]
The preceding graphic illustrates that firewall servers can be located in various
places throughout the network.
Typically, firewall servers are placed between an organization and the outside
world. However, firewalls can be used internally to isolate certain network
segments.
Firewall Server Configurations
[Figure: a dual-homed host acting as the firewall between the internal network and the Internet]
The term multi-homed host describes a host computer that has multiple NICs. Usually, each NIC is connected to a separate network or network segment. This multi-homed host can route traffic between the network segments, functioning in a router capacity.
If the routing function in the multi-homed host is disabled, the host can provide network traffic isolation between the networks it connects to, and yet each network will be able to use applications on the host. If the applications permit, the networks can share data.
Consider two firewall configurations:
- A dual-homed firewall system
- A tri-homed firewall system
Dual-Homed Firewall Configuration
[Figure: a dual-homed firewall with one NIC attached to the internal network and a second NIC attached to the Internet]
A dual-homed host architecture is built around the dual-homed host computer, which is a computer that has at least two network interfaces. This host can act as a router between the networks these interfaces are attached to. It is capable of routing IP packets from one network to another.
A dual-homed firewall contains two network interfaces. One of these interfaces is attached to a trusted network. The other interface is attached to an untrusted network, such as the Internet.
Note: An exposed gateway or firewall machine is often called a bastion host. A bastion host is any firewall host that is critical to network security. The bastion host gets its name from the highly fortified projections on the outer walls of medieval castles.
The dual-homed host is the basic configuration used in firewalls. To implement a dual-homed host architecture, disable the routing function (IP forwarding) on the host. IP packets from one network (for example, the Internet) are then not routed directly to the other network. Systems inside the firewall and outside the firewall can communicate with the dual-homed host, but these systems cannot communicate directly with each other. IP traffic between them is completely blocked. The only path between the networks is through an application-layer function. If the routing is accidentally misconfigured so that IP forwarding is enabled, the application-layer functions of the dual-homed firewall can be bypassed, so the forwarding setting should be verified after every reboot and configuration change.
Security Risks with a Dual-Homed Firewall
Because the firewall server is exposed to the Internet and is a main point of contact for internal network users, it is vulnerable to attack and therefore must be highly secured.
The biggest threat to a dual-homed firewall is direct login access to the dual-homed host. If an intruder obtains a login on the host, the intruder can reconfigure it. Logins from external networks should require strong authentication.
Important: If users are allowed to log in to the firewall machine directly, the firewall security can be compromised.
The only access to the firewall host itself should be through either the console or secure remote access. To prevent circumvention of the firewall, no user accounts should be permitted on the system.
To protect the dual-homed host, consider taking the following precautions:
- Remove programming tools such as compilers.
- Use disk partitions so that an intrusion that fills all disk space on a partition will be confined to that partition.
- Remove unneeded system and special accounts.
- Delete unneeded network services.
Tri-Homed Firewall Configuration
[Figure: a tri-homed firewall server connected, through routers, to the Internet, to the intranet, and to a DMZ containing a web server, an FTP server, and a mail server]
A tri-homed firewall contains three network interfaces. The third network interface creates a DMZ (demilitarized zone) that stands between the private and hostile networks.
Typically, the DMZ will contain hosts whose information is less critical if compromised. The private network houses hosts whose information is most critical, and will probably be accessed only by other internal hosts.
Multiple Firewall Configuration
[Figure: two firewalls in series; the web server sits in a DMZ between the outer firewall, which faces the Internet through a router, and the inner firewall, which protects the intranet]
Many sites that perform e-commerce or other types of customer transactions use a two-layered firewall approach.
In this configuration, the web server is on a protected, outside network that is isolated from the main corporate network.
This type of network is referred to as a DMZ network. The advantage of a DMZ configuration is that if the web server outside is compromised, it does not provide a foothold for attacking the protected network. This holds only if the inner firewall restricts what the web server may initiate toward the intranet; a DMZ host with unrestricted access to the internal network is still a foothold.
Firewall Server Behind a Packet-Filtering Router
[Figure: a packet-filtering gateway/router facing the Internet, with the firewall server behind it in front of the internal network]
A common strategy is to place a packet-filtering router between a firewall server and the untrusted network, which introduces another line of defense. In this configuration, you configure the packet-filtering router so that it sends all network traffic to the firewall server after applying its filter rules to the network traffic. Only traffic that passes the filter rules is diverted to the firewall server. All other traffic is rejected. An intruder must first penetrate the packet-filtering router before contending with the firewall server.
The path of network traffic as applied to the OSI model is illustrated as follows:
[Figure: external network, then the packet-filter router (network, data link, and physical layers), then the firewall (all seven layers), then the internal network]
Evaluating Firewalls
When evaluating firewall implementations, at a minimum the implementation should include the following features:
- Authentication
- Protection from common attacks
- Activity logging
- Rules
Additional firewall features might include:
- Alerting
- Suspicious activity monitoring
- Virtual private networking
- URL/news blocking
- Code scanning and virus scanning
- Address translation
Authentication
Authentication is the process of determining that a user is who he or she claims to be. This might be a user logging on to a machine or one host machine communicating with another host machine.
Several types of authentication exist. The types of authentication measures you take will be based on the importance of the resource you are trying to protect. A firewall should provide authentication services so only specific users can enter.
Authentication can be either weak or strong. Weak authentication allows the same password to be used repeatedly and is more typically associated with internal users accessing the Internet. Strong authentication uses a different password every time and is best for external users accessing the intranet.
For users accessing a particular device, your authentication options (in order of complexity and security) include:
- Passwords
- One-time passwords
- Smart cards
- Biometrics
- Cryptography
- Authorization
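The following added Python example (not code from the module or from any firewall product) shows what "a different password every time" means in practice, using the counter-based one-time password algorithm HOTP from RFC 4226 on the verifier's side: each accepted code advances the user's counter, so a captured code can never be replayed, and a small look-ahead window tolerates a token that has run a few counters ahead. The user names and the window size are constructed; the key is the RFC 4226 test-vector secret, so the first codes can be checked against the RFC.

```python
"""Counter-based one-time passwords (HOTP, RFC 4226), verifier side (added example).

User names and the window are constructed; the key is the RFC 4226 test secret.
"""
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Each user has a shared key and the counter of the last accepted code.
    A presented code is valid only if it matches one of the next `window`
    counters; accepting it moves the counter forward, so a code that has been
    used (or skipped over) can never be accepted again."""

    def __init__(self, window: int = 5):
        self.window = window
        self.users = {}   # user -> [key, last_accepted_counter]

    def enroll(self, user: str, key: bytes) -> None:
        self.users[user] = [key, -1]

    def verify(self, user: str, code: str) -> bool:
        if user not in self.users:
            return False
        key, last = self.users[user]
        for counter in range(last + 1, last + 1 + self.window):
            if hmac.compare_digest(hotp(key, counter), code):   # constant-time compare
                self.users[user][1] = counter
                return True
        return False


def demo():
    """Constructed session for user 'alice'; comments give the expected outcome."""
    key = b"12345678901234567890"   # RFC 4226 Appendix D secret; HOTP(0) is 755224
    verifier = OtpVerifier()
    verifier.enroll("alice", key)
    first = hotp(key, 0)
    return {
        "code0": first,
        "accept": verifier.verify("alice", first),
        "replay": verifier.verify("alice", first),           # same password again: refused
        "drift": verifier.verify("alice", hotp(key, 3)),     # token ran ahead, inside the window
        "stale": verifier.verify("alice", hotp(key, 2)),     # older than the last accepted: refused
        "too_far": verifier.verify("alice", hotp(key, 40)),  # beyond the window: refused
        "unknown_user": verifier.verify("bob", first),
    }


if __name__ == "__main__":
    print(demo())
```

The replay and stale cases are the difference between weak and strong authentication as the text defines them: a sniffed password from a weak scheme works indefinitely, while a sniffed one-time code is dead the moment it, or any later code, is accepted.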
Protection from Common Attacks
Most firewalls protect against common Internet attacks that occur at the network level, such as IP spoofing, SYN flood, or the Ping of Death. Attacks that occur at the application level, such as buffer overruns, specific application commands, and filtering of URLs, can only be prevented by application-level firewalls, which examine the application data streams. Packet-filtering firewalls cannot prevent these attacks because they only see parts of the stream.
The International Computer Security Association (ICSA) is an independent body that certifies firewalls for minimum functionality. For more information about ICSA, refer to www.icsa.net.
To receive certification, a product must resist all common attacks in accordance with these criteria:
- No measure of administrative control of the firewall or underlying operating system may become available to the attacker.
- Protocol or data content other than TELNET, FTP, HTTP, SSL/SHTTP, SMTP, and DNS must not be passed through the firewall and be carried on the internal network.
- The product must not be trivially rendered inoperable by network-based denial of service attacks, with these exceptions:
  - The product must have a documented fail-safe mechanism for removing itself from service according to a declared policy.
  - If a denial of service attack is widely recognized as having no defense, the product must provide a log-based alert prior to failing.
Activity Logging
A firewall should provide a log of each request it receives. At a minimum, the entry will include the source of the request, the destination, the protocol, a time stamp, and the result of the request.
Of primary concern is the readability of the logs, the ability to scan or query the logs, and the ability to compress the logs. For the greatest security, place the log file on a separate drive partition or machine, so that an attacker who fills or compromises the firewall's disk cannot erase the evidence.
Examining the log can reveal whether the firewall is withstanding probes and attacks, and whether the controls on the firewall are adequate.
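As an added example of reading such a log (not code from the module), the following Python script parses constructed log lines in an assumed format that carries the fields listed above (time stamp, result, protocol, source, and destination), tallies denied requests per source, and flags sources that have been refused on many distinct ports, which is the signature of a probe rather than a mistyped address. It also reports denied attempts that originated inside the network, since the module notes that most attacks come from within.

```python
"""Probe detection over constructed firewall log lines (added example, not from the module).

The log format is an assumption; it carries the fields the module lists for an
entry: time stamp, result, protocol, source and destination.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")   # assumed internal network

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ACCEPT|DROP|REJECT) "
    r"(?P<proto>tcp|udp|icmp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one outside host hits seven ports on 10.0.0.5 within a few seconds.
SAMPLE_LOG = """\
1999-06-01 08:00:01 ACCEPT tcp 10.0.0.7:40000 -> 198.51.100.10:80
1999-06-01 08:00:02 DROP tcp 203.0.113.9:5001 -> 10.0.0.5:21
1999-06-01 08:00:02 DROP tcp 203.0.113.9:5002 -> 10.0.0.5:22
1999-06-01 08:00:02 DROP tcp 203.0.113.9:5003 -> 10.0.0.5:23
1999-06-01 08:00:03 DROP tcp 203.0.113.9:5004 -> 10.0.0.5:25
1999-06-01 08:00:03 DROP tcp 203.0.113.9:5005 -> 10.0.0.5:80
1999-06-01 08:00:03 DROP tcp 203.0.113.9:5006 -> 10.0.0.5:110
1999-06-01 08:00:04 DROP tcp 203.0.113.9:5007 -> 10.0.0.5:143
1999-06-01 08:00:05 ACCEPT tcp 198.51.100.20:33000 -> 10.0.0.25:25
1999-06-01 08:00:06 DROP udp 198.51.100.77:53 -> 10.0.0.5:53
1999-06-01 08:00:07 DROP tcp 10.0.0.7:40001 -> 10.0.0.25:23
garbage line that does not parse
"""


def parse(text):
    """Return (records, number_of_unparsable_lines); unparsable lines are counted, not dropped silently."""
    records, unparsed = [], 0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records, unparsed


def denied_by_source(records):
    """Per source address: how many requests were refused, on which ports, against which hosts, and when."""
    out = defaultdict(lambda: {"count": 0, "ports": set(), "targets": set(), "first": None, "last": None})
    for r in records:
        if r["action"] == "ACCEPT":
            continue
        e = out[r["src"]]
        e["count"] += 1
        e["ports"].add(r["dport"])
        e["targets"].add(r["dst"])
        e["first"] = e["first"] or r["ts"]
        e["last"] = r["ts"]
    return dict(out)


def find_probes(summary, min_ports=5):
    """A source refused on many distinct ports is probing; a single refusal may be a typo."""
    return sorted(src for src, e in summary.items() if len(e["ports"]) >= min_ports)


def report(text=SAMPLE_LOG):
    records, unparsed = parse(text)
    summary = denied_by_source(records)
    probes = find_probes(summary)
    return {
        "parsed": len(records),
        "unparsed": unparsed,
        "probes": probes,
        "ports_by_probe": {src: sorted(summary[src]["ports"]) for src in probes},
        "denied_from_inside": sorted(src for src in summary if ip_address(src) in INTERNAL),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

The unparsed count matters as much as the probe list: a log reader that silently skips lines it does not understand is how an attacker's activity, or a format change after a firewall upgrade, goes unnoticed.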
Rules
Usually a firewall determines what traffic may pass through by applying rules. These rules express the security policy to the firewall in one of two ways:
- That which is not expressly permitted is prohibited.
- That which is not expressly prohibited is permitted.
Additional Features
Additional features to consider, depending upon your organization's needs,
include:
Alerting: The firewall alerts the administrator when an attack occurs.
Suspicious activity monitoring: The firewall detects unusual activity and
alerts the administrator. In some cases, the administrator might be able to
define the activities that are considered suspicious.
Virtual private networking: The firewall provides the ability to establish
secure, private communication with another network through the Internet.
VPNs use encryption and encapsulation technology to create a private
passageway, or tunnel, through the Internet.
URL/news blocking: The firewall provides the ability to restrict
information that is not appropriate for a business environment.
Code scanning and virus scanning: The firewall provides the ability to
scan for malicious code or viruses being introduced into the private network
from the Internet.
Address translation: On many networks, it is necessary to hide internal
network addresses from external users to make internal nodes less vulnerable
to attack. This also allows the internal network to use IP addresses
indiscriminately. From the outside, it looks like the network has only one
or just a few IP addresses.
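The address translation feature described above, as an added example that is not part of the course material or of any firewall product. It models a source-NAT table that presents every internal host as one external address with a per-flow port, and drops inbound packets that no internal host initiated, which is the protective side effect the text refers to. The external address, internal addresses and ports are constructed.

```python
"""Toy source-NAT (port address translation) table.

Added example, not code from the course or from any firewall product. The
external address, the internal addresses and all port numbers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class SourceNat:
    """Rewrites outbound packets to a single external address and maps the
    replies back; inbound packets with no matching mapping are dropped."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        # (internal ip, internal port, remote ip, remote port, proto) -> external port
        self.outbound = {}
        # (external port, remote ip, remote port, proto) -> (internal ip, internal port)
        self.inbound = {}

    def translate_outbound(self, pkt):
        """Replace the internal source with the external address and a
        per-flow port; a flow already in the table keeps its port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.outbound[key] = ext_port
            self.inbound[(ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (
                pkt.src_ip,
                pkt.src_port,
            )
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt):
        """Map a reply back to the internal host, or return None (drop) when
        no inside host initiated the flow: the outside never learns an
        internal address, and unsolicited packets have nowhere to go."""
        if pkt.dst_ip != self.external_ip:
            return None
        internal = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if internal is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, internal[0], internal[1], pkt.proto)

    def active_flows(self):
        """Number of translated flows currently in the table."""
        return len(self.outbound)


if __name__ == "__main__":
    nat = SourceNat("203.0.113.1")
    out = nat.translate_outbound(Packet("192.168.1.10", 40123, "198.51.100.20", 80))
    print("outbound as seen from the Internet:", out)
    print("reply mapped back:", nat.translate_inbound(
        Packet("198.51.100.20", 80, "203.0.113.1", 40000)))
    print("unsolicited inbound:", nat.translate_inbound(
        Packet("198.51.100.99", 1234, "203.0.113.1", 22)))
```

Two internal hosts using the same source port get distinct external ports, so the one external address carries both flows; a real device also ages entries out of the table, which the toy omits.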
Firewall Deployment Procedures
To deploy a firewall, you should use the following general steps:
1. Create a security policy that defines what, why, and how computing resources
are to be protected. This includes well-defined access rules such as:
Allow inside users access to the Internet using web protocols (HTTP).
Allow email traffic in both directions using Internet mail protocols
(SMTP).
Allow inside users to access Internet servers using FTP.
Deny all other access.
2. Choose the right firewall components to enforce the security policy. The
firewall system must be capable of supporting the access rules you defined.
3. Reconfigure the network's domain name system (DNS) to accommodate the
placement of the firewall.
4. Configure the firewall's access rules, logging, notification, and address
translation features to match the security policy. Some firewalls can be plugged
in with little configuration.
5. Perform a security scan against the firewall system. In other words, try to
invade your own network. Some scanning tools, such as ISS and SATAN,
break into the firewall, not through it. Other tools try to break through a
firewall.
After you have a firewall in place, perform periodic security scans and audits to
ensure continuous firewall integrity.
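The access rules from step 1 expressed under the first policy stance from the Rules section (that which is not expressly permitted is prohibited), as an added example that is not part of the course material or of any firewall product. The internal network range, the address of the mail server that accepts inbound SMTP, and the service ports are assumptions chosen to make the rules concrete; the same evaluator with a default of "allow" shows the second stance for comparison.

```python
"""Default-deny rule evaluator for the access rules listed in step 1.

Added example; not code from the course or from any firewall product. The
internal network range, the mail server address and the service ports are
assumptions that make the step 1 rules concrete.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSIDE = ipaddress.ip_network("192.168.1.0/24")        # assumed internal network
MAIL_SERVER = ipaddress.ip_network("192.168.1.25/32")  # assumed inbound mail host
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"

    def matches(self, src_ip, dst_ip, proto, dst_port):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and proto == self.proto
                and (self.dst_port is None or self.dst_port == dst_port))


# Step 1 as rules: HTTP out, SMTP in both directions, FTP out, nothing else.
POLICY = [
    Rule("inside-web-out", INSIDE, ANY, "tcp", 80, "allow"),
    Rule("mail-out", INSIDE, ANY, "tcp", 25, "allow"),
    Rule("mail-in", ANY, MAIL_SERVER, "tcp", 25, "allow"),
    Rule("inside-ftp-out", INSIDE, ANY, "tcp", 21, "allow"),
]


def evaluate(rules, src_ip, dst_ip, proto, dst_port, default="deny"):
    """First matching rule wins; the default applies when nothing matches.
    default="deny" is 'not expressly permitted is prohibited';
    default="allow" is 'not expressly prohibited is permitted'."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dst_port):
            return rule.action, rule.name
    return default, "default"


if __name__ == "__main__":
    checks = [
        ("192.168.1.10", "203.0.113.5", "tcp", 80),    # web out: allowed
        ("203.0.113.40", "192.168.1.25", "tcp", 25),   # mail in to the mail host: allowed
        ("203.0.113.40", "192.168.1.10", "tcp", 25),   # mail in to a workstation: denied
        ("192.168.1.10", "203.0.113.5", "tcp", 23),    # telnet out: not listed, denied
    ]
    for src, dst, proto, port in checks:
        print(src, "->", dst, proto, port, evaluate(POLICY, src, dst, proto, port))
```

Note that "deny all other access" in step 1 is what makes the first stance safe: with the same four rules and a default of "allow", the unlisted telnet request passes, which is why the default action should be chosen in the policy, not left to the product's factory setting.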
Review Questions
1. List the main types of firewalls.
2. Describe how packet-filtering gateways work.
3. Briefly explain how application-level firewalls work.
4. Briefly explain how stateful inspection firewalls work.
5. Briefly explain how circuit-level firewalls work.
6. Describe how a DMZ is created with a firewall server.
7. What is the advantage of placing a firewall server behind a packet filtering
gateway?
8. What key features would you evaluate when deciding upon a firewall solution?
9. List the general steps you would follow to deploy a firewall.